Friday, December 13, 2024

Building a safer future starts with learning from experts.

On the opening night of Black Hat USA, I struck up a conversation with a pair of friendly penetration testers, whose curiosity was piqued when I mentioned that I am a software developer.

Why would a software developer be attending a cybersecurity conference, rather than, say, a developer conference?

What did I hope to get out of it?

To them, and to others I met who were puzzled by a developer showing up there, I explained that I needed more training in basic cybersecurity to keep up with the rapidly evolving landscape of artificial intelligence.

Despite that conviction, I confess to having felt slightly out of place. The cybersecurity world congregates at renowned events like Black Hat and DefCon, where experts in penetration testing, threat assessment, and ethical hacking converge with like-minded professionals. Cybersecurity conferences are highly regarded and respected in their own right. As I made my way around, I met talented engineers, thought-provoking speakers, and esteemed international researchers.

None of the people I met were developers by profession.

Having now attended these industry-leading cybersecurity conferences, I can confidently say that developers gain significant value from participating in such events.

Five compelling reasons why developers should consider adding cybersecurity conferences to their professional development:

1. At Black Hat, the divide between developers and security professionals remains stark: the two groups rarely intersect, despite the clear need for greater collaboration.

Development and security may seem like distinct concerns, but they are inextricably linked, regardless of role or departmental boundaries, and the connection starts at the very foundation: the code. The shift-left movement has highlighted the importance of writing high-quality, secure code early in the software development lifecycle. Writing secure code, however, is not the same thing as simply writing code.

Awareness and training undoubtedly play a significant role here. According to a survey by The Linux Foundation and OpenSSF, 75% of software developers reported that they had never taken a course on secure software development, primarily because they were unaware of high-quality training options, with insufficient time being another significant obstacle. This apparent lack of knowledge and training might partly explain why a staggering 46% of companies carry "critical" security debt.

How can a company afford not to address its security debt, given the devastating consequences a breach can have for lives and reputations?

And how can it address that debt if it is oblivious to its existence in the first place?

This is what sparked my Cisco DevNet podcast series. The podcast aims to bridge the gap between developers and the cybersecurity community.

If you look back through the archives of notorious cyber breaches from the 1990s and early 2000s, a persistent pattern emerges:

To be honest, I must confess that when I graduated with a Master's degree in Software Engineering in 2021, security was still an afterthought in the curriculum, let alone something that was emphasized.

I am not alone in this. According to the State of Developer-Driven Security Survey conducted by Evans Data Corp for Secure Code Warrior, developers' confidence in writing secure code varies widely, with many considering their teams to have "stellar expertise" in writing vulnerability-free code.

Acquiring a solid grasp of basic techniques for writing secure code can significantly reduce the accumulation of the security debt mentioned above.

At cybersecurity conferences, you learn sound coding practices from DevSec and AppSec talks while also developing a security-conscious approach to software development.

As cybersecurity threats continue to evolve at an unprecedented pace, we must adapt our mitigation strategies and security practices just as quickly. At Black Hat this year, generative AI drew immense interest, primarily because the technology and its related tooling are evolving so rapidly that we have only a faint understanding of security best practices or of how to detect novel attacks. Developers and other engineering professionals working on GenAI have a professional responsibility to thoroughly understand the security and privacy risks of the GenAI systems they design and maintain.

At DefCon, I was pleasantly surprised by the abundance of offerings; nevertheless, my standout experience as a first-time attendee was undoubtedly the Villages. There are many distinct cybersecurity "Villages", ranging from AI security to social engineering to biohacking, where attendees take part in hands-on activities. The AI Village let participants craft their own deepfakes, and I tried my hand at LLM-based purple teaming in a Capture the Flag-style challenge.

The glamour of building software is often more facade than reality. Professional developers face long hours and immense pressure, yet many of the skilled coders I know take pride in crafting exceptional software despite the hurdles.

By bringing developers into the cybersecurity fold, we could foster a deeper understanding of the coding practices required for secure software, bridging the gap between these two crucial disciplines. That might mean developing a shared DevSec/AppSec vocabulary with concrete examples, or fostering the development of security tools and protocols that simplify our lives rather than

And most vital of all?

Effective cybersecurity training equips developers to build meaningful things with confidence, while staying true to the passion for building and innovation that drove them to become creators in the first place.

Subscribe to the podcast to be notified about new episode releases. The show aims to close the gap between developers and the cybersecurity community through relaxed and informative conversation.
